fix: update dagre-d3-es patch hash to prevent prototype pollution

2025-10-10 01:29:49 +02:00 · 2025-10-09 12:19:11 +05:30
parent b945696721
commit 3feb4e5551
2 changed files with 7 additions and 26 deletions
--- a/patches/dagre-d3-es@7.0.11.patch
+++ b/patches/dagre-d3-es@7.0.11.patch
@@ -1,8 +1,8 @@
 diff --git a/src/dagre/position/bk.js b/src/dagre/position/bk.js
-index d4aabdcef2c788873b799489cf27d48aaa0a2ee6..3f4e140dfd9f8f3f365300f04c087bc648868345 100644
+index d4aabdcef2c788873b799489cf27d48aaa0a2ee6..72beff8b3830f1e3241455400f68843888b60a06 100644
 --- a/src/dagre/position/bk.js
 +++ b/src/dagre/position/bk.js
-@@ -129,13 +129,35 @@ function findOtherInnerSegmentNode(g, v) {
+@@ -129,6 +129,16 @@ function findOtherInnerSegmentNode(g, v) {
   }
 }
 
@@ -13,40 +13,21 @@ index d4aabdcef2c788873b799489cf27d48aaa0a2ee6..3f4e140dfd9f8f3f365300f04c087bc6
 + */
 +function isSafeKey(key) {
 +  // Reject prototype pollution vectors
-+  var isSafe = key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
-+  if (!isSafe) {
-+    console.log('[dagre-d3-es SECURITY] Blocked prototype pollution attempt with key:', key);
-+  }
-+  return isSafe;
+  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
 +}
 +
 function addConflict(conflicts, v, w) {
-+  console.log('[dagre-d3-es] addConflict called with v:', v, 'w:', w);
-+
   if (v > w) {
     var tmp = v;
-     v = w;
+@@ -136,6 +146,11 @@ function addConflict(conflicts, v, w) {
     w = tmp;
   }
 
 +  // Validate keys to prevent prototype pollution
 +  if (!isSafeKey(v) || !isSafeKey(w)) {
-+    console.log('[dagre-d3-es SECURITY] addConflict blocked for keys v:', v, 'w:', w);
 +    return;
 +  }
 +
   var conflictsV = conflicts[v];
   if (!conflictsV) {
     conflicts[v] = conflictsV = {};
-@@ -149,6 +171,11 @@ function hasConflict(conflicts, v, w) {
-     v = w;
-     w = tmp;
-   }
-+  // Validate keys to prevent prototype pollution
-+  if (!isSafeKey(v) || !isSafeKey(w)) {
-+    console.log('[dagre-d3-es SECURITY] hasConflict blocked for keys v:', v, 'w:', w);
-+    return false;
-+  }
-   return !!conflicts[v] && Object.prototype.hasOwnProperty.call(conflicts[v], w);
- }
- 
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -6,7 +6,7 @@ settings:

 patchedDependencies:
  dagre-d3-es@7.0.11:
-    hash: 86dd75cdc907d2e31dd8935b6b90eb5d86fa1cdb918a417f1adbc052d1e6cebe
+    hash: 9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188
    path: patches/dagre-d3-es@7.0.11.patch
  roughjs:
    hash: 3543d47108cb41b68ec6a671c0e1f9d0cfe2ce524fea5b0992511ae84c3c6b64
@@ -255,7 +255,7 @@ importers:
        version: 0.12.3
      dagre-d3-es:
        specifier: 7.0.11
-        version: 7.0.11(patch_hash=86dd75cdc907d2e31dd8935b6b90eb5d86fa1cdb918a417f1adbc052d1e6cebe)
+        version: 7.0.11(patch_hash=9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188)
      dayjs:
        specifier: ^1.11.18
        version: 1.11.18
@@ -15164,7 +15164,7 @@ snapshots:
      d3-transition: 3.0.1(d3-selection@3.0.0)
      d3-zoom: 3.0.0

-  dagre-d3-es@7.0.11(patch_hash=86dd75cdc907d2e31dd8935b6b90eb5d86fa1cdb918a417f1adbc052d1e6cebe):
+  dagre-d3-es@7.0.11(patch_hash=9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188):
    dependencies:
      d3: 7.9.0
      lodash-es: 4.17.21